Introduction

Scope of this ISA

1. This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities relating to the work of internal auditors when the external auditor has determined, in accordance with ISA 315,^[1] that the internal audit function is likely to be relevant to the audit. (Ref: Para. A1–A2)
2. This ISA does not deal with instances when individual internal auditors provide direct assistance to the external auditor in carrying out audit procedures.

Relationship between the Internal Audit Function and the External Auditor

3. The objectives of the internal audit function are determined by management and, where applicable, those charged with governance. While the objectives of the internal audit function and the external auditor are different, some of the ways in which the internal audit function and the external auditor achieve their respective objectives may be similar. (Ref: Para. A3)
4. Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the entity as is required of the external auditor when expressing an opinion on financial statements. The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal auditors.

Effective Date

5. This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009.

Objectives

6. The objectives of the external auditor, where the entity has an internal audit function that the external auditor has determined is likely to be relevant to the audit, are:

• To determine whether, and to what extent, to use specific work of the internal auditors; and
• If using the specific work of the internal auditors, to determine whether that work is adequate for the purposes of the audit.

[1] ISA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment,” paragraph 23.

Introduction

Scope of this ISA

1. This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities relating to the work of internal auditors when the external auditor has determined, in accordance with ISA 315,^[1] that the internal audit function is likely to be relevant to the audit. (Ref: Para. A1–A2)
2. This ISA does not deal with instances when individual internal auditors provide direct assistance to the external auditor in carrying out audit procedures.

Relationship between the Internal Audit Function and the External Auditor

3. The objectives of the internal audit function are determined by management and, where applicable, those charged with governance. While the objectives of the internal audit function and the external auditor are different, some of the ways in which the internal audit function and the external auditor achieve their respective objectives may be similar. (Ref: Para. A3)
4. Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the entity as is required of the external auditor when expressing an opinion on financial statements. The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal auditors.

Effective Date

5. This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009.

Objectives

6. The objectives of the external auditor, where the entity has an internal audit function that the external auditor has determined is likely to be relevant to the audit, are:

• To determine whether, and to what extent, to use specific work of the internal auditors; and
• If using the specific work of the internal auditors, to determine whether that work is adequate for the purposes of the audit.

[1] ISA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment,” paragraph 23.

A2.  Carrying out procedures in accordance with this ISA may cause the external auditor to re-evaluate the external auditor’s assessment of the risks of material misstatement. Consequently, this may affect the external auditor’s determination of the relevance of the internal audit function to the audit. Similarly, the external auditor may decide not to otherwise use the work of the internal auditors to affect the nature, timing or extent of the external auditor’s procedures. In such circumstances, the external auditor’s further application of this ISA may not be necessary.

Objectives of the Internal Audit Function (Ref: Para. 3)

A3. The objectives of internal audit functions vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. The activities of the internal audit function may include one or more of the following:

• Monitoring of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, monitoring their operation and recommending improvements thereto.
• Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
• Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non-financial activities of an entity.
• Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.
• Risk management. The internal audit function may assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
• The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organization and effectiveness of communication among those charged with governance, external and internal auditors, and management.

Determining Whether and to What Extent to Use the Work of the Internal Auditors

Whether the Work of the Internal Auditors Is Likely to Be Adequate for Purposes of the Audit (Ref: Para. 9)

A4. Factors that may affect the external auditor’s determination of whether the work of the internal auditors is likely to be adequate for the purposes of the audit include:

Objectivity

• The status of the internal audit function within the entity and the effect such status has on the ability of the internal auditors to be objective.
• Whether the internal audit function reports to those charged with governance or an officer with appropriate authority, and whether the internal auditors have direct access to those charged with governance.
• Whether the internal auditors are free of any conflicting responsibilities.
• Whether those charged with governance oversee employment decisions related to the internal audit function.
• Whether there are any constraints or restrictions placed on the internal audit function by management or those charged with governance.
• Whether, and to what extent, management acts on the recommendations of the internal audit function, and how such action is evidenced.

Technical competence 

• Whether the internal auditors are members of relevant professional bodies.
• Whether the internal auditors have adequate technical training and proficiency as internal auditors.
• Whether there are established policies for hiring and training internal auditors.

Due professional care

• Whether activities of the internal audit function are properly planned, supervised, reviewed and documented.
• The existence and adequacy of audit manuals or other similar documents, work programs and internal audit documentation.

Communication

Communication between the external auditor and the internal auditors may be most effective when the internal auditors are free to communicate openly with the external auditors, and:

• Meetings are held at appropriate intervals throughout the period;
• The external auditor is advised of and has access to relevant internal audit reports and is informed of any significant matters that come to the attention of the internal auditors when such matters may affect the work of the external auditor; and
• The external auditor informs the internal auditors of any significant matters that may affect the internal audit function.

Planned Effect of the Work of the Internal Auditors on the Nature, Timing or Extent of the External Auditor’s Procedures(Ref: Para. 10)

A5. Where the work of the internal auditors is to be a factor in determining the nature, timing or extent of the external auditor’s procedures, it may be useful to agree in advance the following matters with the internal auditors:

• The timing of such work;
• The extent of audit coverage;
• Materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures), and performance materiality;
• Proposed methods of item selection;
• Documentation of the work performed; and
• Review and reporting procedures.

Using Specific Work of the Internal Auditors (Ref: Para. 11)

A6. The nature, timing and extent of the audit procedures performed on specific work of the internal auditors will depend on the external auditor’s assessment of the risk of material misstatement, the evaluation of the internal audit function, and the evaluation of the specific work of the internal auditors. Such audit procedures may include:

• Examination of items already examined by the internal auditors;
• Examination of other similar items; and
• Observation of procedures performed by the internal auditors.